Lab 9b - Apache SSL

Aims

To configure the Apache web server to support SSL connections.

Task 1: Configuring SSL

The Apache installation on CentOS already comes with SSL enabled (the mod_ssl package ships a working ssl.conf, key and certificate). So for this lab exercise, we will remove some of the existing configuration so you understand the process of configuring SSL from the beginning.

The first step is to set up the public and private keys that will be used for SSL. The public key will be contained inside a certificate, so we need to create a private key for the web server, as well as a public certificate that the web server will send out to clients.

First begin by removing the existing SSL server key and certificate:

cd /etc/pki/tls/certs

rm ../private/localhost.key (The server’s private key, used to sign the certificate)

rm localhost.crt (The web server’s certificate)


Now generate new ones. Enter the command below, making sure you are in /etc/pki/tls/certs and that you type it ALL ON ONE LINE:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ../private/localhost.key -out localhost.crt

The -x509 option makes openssl self-sign the certificate with the new key instead of producing a certificate signing request. The -nodes option writes the private key unencrypted so that httpd can start without prompting for a passphrase; for that reason the key file must stay readable by root only.

Answer the questions as best you can. In particular, when it asks for the Common Name, enter your web server's DNS name (e.g. www.it.netserv.edu.au), or a wildcard entry (e.g. *.it.netserv.edu.au). Note that current browsers match the site name against the certificate's subjectAltName extension rather than the Common Name, so a certificate carrying only a Common Name is also reported as not matching the site; the lab still works because you add an exception, but where you can, include a subjectAltName as well.

This process should have generated two new files – ../private/localhost.key (the new private key for the web server) and localhost.crt (the new certificate).

These filenames are configurable in the SSL configuration file /etc/httpd/conf.d/ssl.conf (the SSLCertificateFile and SSLCertificateKeyFile directives), but it is easiest for now to use the defaults.

That completes the key and certificate generation. For the next step, we will specify a new DocumentRoot for the SSL web server, so that SSL web pages come from a different location. SSL in Apache is provided by a module (mod_ssl), and the configuration files for Apache modules are in /etc/httpd/conf.d. Change to that directory and edit the ssl.conf file.

Search ssl.conf for a DocumentRoot directive. It should initially be commented out, meaning that the SSL web server by default serves documents from the same directory as the normal (non-SSL) web server. For testing, uncomment the DocumentRoot directive in ssl.conf and change it to point to a new directory, e.g. /var/www/secure. Create this new directory and put a simple index.html file inside.
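The directives involved, shown as an added illustration rather than a copy of the lab machine's ssl.conf: the certificate and key paths are the CentOS defaults that the openssl command above writes to, the DocumentRoot is the lab's /var/www/secure, and the ServerName is the lab hostname.

```apache
# Excerpt of /etc/httpd/conf.d/ssl.conf after the lab's edit (illustrative)
Listen 443 https

<VirtualHost _default_:443>
    # Serve the HTTPS site from its own tree instead of /var/www/html
    DocumentRoot "/var/www/secure"
    ServerName www.it.netserv.edu.au:443

    SSLEngine on

    # The files produced by "openssl req -x509 ... -keyout ../private/localhost.key -out localhost.crt"
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
```

No separate <Directory> block is needed for /var/www/secure on CentOS because httpd.conf already grants access to everything under /var/www, and a directory created there receives the httpd_sys_content_t SELinux context by default; content placed outside /var/www would need both. Run apachectl configtest before restarting so a typo in ssl.conf does not take the whole server down.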

Now start/restart httpd using systemctl.

Test your web server by accessing a “https” URL, e.g.

https://www.it.netserv.edu.au/

You will get a warning about the certificate because it is self-signed: no certificate authority your browser trusts has vouched for it. Choose "Advanced". Note the warning about a self-signed certificate. View the certificate (you should see the details you entered earlier). Then "Accept the risk and continue". If you have done the configuration correctly, your "secure" web page should appear. Accepting the risk only stores an exception for this one site in your browser; a production server needs a certificate issued by a CA that clients already trust.


Steps:

On Linux

# cd /etc/pki/tls/certs/

# rm -f ../private/localhost.key

//remove the server's private key, which was used to sign the certificate//

# rm -f localhost.crt

//remove the web server's certificate//

Now generate new ones. Enter the command below and make sure you are in /etc/pki/tls/certs. Make sure you enter the command ALL ON ONE LINE:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ../private/localhost.key -out localhost.crt

Country Name: AU

State: NSW

Locality Name: Sydney

Organisation: UTS

Organisational Unit: FEIT

Common Name: www.it.netserv.edu.au

Email Address: (leave blank)

Next, confirm that the two files were written (cat shows only the base64-encoded PEM blocks, not the decoded certificate fields; the private key must never be copied off the server):

# cat ../private/localhost.key

# cat localhost.crt

To test the SSL setting, it is recommended to create a separate web page for https. Open the configuration file:

# vim /etc/httpd/conf.d/ssl.conf

Find the DocumentRoot directive, uncomment it and change it to the following (type plain straight quotes; curly quotes would become part of the path):

DocumentRoot "/var/www/secure"
:wq

Create a new web page

# mkdir /var/www/secure

# cd /var/www/secure/

# touch index.html

# vim index.html

Add the line: SSL Test page

Save and quit with :wq

Restart the service httpd for the changes to take effect.

# systemctl restart httpd

Verify SSL

In a browser (Firefox), type the following in the address bar:

https://www.it.netserv.edu.au

View the page: click "Advanced", check the certificate details, then "Accept the risk and continue".
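The whole key-and-certificate step, as an added example that is not part of the lab sheet: a non-interactive version of the openssl command that fixes the DN answers from the Steps section in a request config, adds a subjectAltName (which current browsers check instead of the Common Name), locks down the key file, and then verifies the output with openssl rather than cat. It assumes the lab hostname and takes the PKI directory as an argument so it can be tried in a scratch directory before being run against /etc/pki/tls; check_https is for after httpd has been restarted and talks to the live server.

```shell
#!/bin/sh
# Added example (not from the lab): generate and verify the mod_ssl key pair.
# Assumptions: HOST is the lab's hostname; the directory argument mirrors the
# CentOS layout (DIR/private/localhost.key, DIR/certs/localhost.crt).

HOST="www.it.netserv.edu.au"

# Write an OpenSSL request config so the DN and SAN are fixed, not typed in.
# Using -config works on OpenSSL 1.0.x as well, where "req -addext" does not exist.
write_req_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C  = AU
ST = NSW
L  = Sydney
O  = UTS
OU = FEIT
CN = $HOST
[v3_server]
subjectAltName = DNS:$HOST
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}

# gen_server_cert DIR: create DIR/private/localhost.key and DIR/certs/localhost.crt
gen_server_cert() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    write_req_config "$dir/localhost-req.cnf"
    # -nodes leaves the key unencrypted so httpd starts without a passphrase,
    # which is why the file mode is tightened immediately afterwards.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/private/localhost.key" -out "$dir/certs/localhost.crt" \
        -config "$dir/localhost-req.cnf" 2>/dev/null
    chmod 0600 "$dir/private/localhost.key"
}

# cert_matches_key DIR: succeed if the certificate carries the public half of the key
cert_matches_key() {
    k=$(openssl pkey -in "$1/private/localhost.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/certs/localhost.crt" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san DIR: succeed if the SAN names the host (what browsers actually match)
cert_has_san() {
    openssl x509 -in "$1/certs/localhost.crt" -noout -text | grep -q "DNS:$HOST"
}

# cert_is_valid_now DIR: succeed if the certificate has not expired
cert_is_valid_now() {
    openssl x509 -in "$1/certs/localhost.crt" -noout -checkend 0 >/dev/null
}

# key_is_private DIR: succeed if the key is readable by its owner only
key_is_private() {
    [ "$(ls -l "$1/private/localhost.key" | cut -c1-10)" = "-rw-------" ]
}

# check_https HOST: after "systemctl restart httpd", print the subject and validity
# of the certificate the server really sends (needs the live server, so not automated here)
check_https() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
}

# Usage: sh mkcert.sh /etc/pki/tls   (the tree ssl.conf's default paths point at)
if [ $# -eq 1 ]; then
    gen_server_cert "$1" && cert_matches_key "$1" && cert_has_san "$1" \
        && cert_is_valid_now "$1" && key_is_private "$1" && echo "certificate OK"
fi
```

Compare the decoded output of openssl x509 -text with what the browser's certificate viewer shows after the restart; if they differ, httpd is still serving an old pair from a different SSLCertificateFile path.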